Cloud Security Automation
A post about my experience with SEC540 LiveOnline in November 2020
In November 2020 I was lucky to have had the chance to take part in my 2nd SANS course of the year: SEC540 - Cloud Security and DevOps Automation - as part of the SANS Amsterdam. Unlike the first one, this was conducted in a remote-only format that they call LiveOnline. I liked it so much that I wanted to share it. If interested, you can read more about my experience of SEC530 - Defensible Security Architecture - in this post which was an on-site/in-person course as part of the SANS Prague in March 2020.
Pre-Course
About a week before the course was set to begin, I received the Course Booklets via UPS delivery. It was a bit surprising that they did not send an email with the tracking ID, so I was caught off-guard when I was told I needed to pick it up in a nearby UPS affiliate shop. Nevertheless, it was quite fast and efficient, so there were no issues there.
Since this was a LiveOnline course, I needed to download a few things from my SANS account in advance, which would normally be distributed on USB sticks at the start of an in-person course. Luckily they send numerous email reminders about this, and there are also great instructions available online, such as THIS document.
The most important item to download was of course the course VM for the Lab Exercises. For this course, it was a 9 GB ISO file which had the compressed VMware virtual machine image in it. This VM required quite substantial resources, so I felt lucky to have a work laptop that has 32 GB RAM with an 8 core Intel i9 CPU and 1 TB of SSD storage. The RAM was especially critical for the VM: it needed at least 12 GB, but I gave it 16 just to be sure. For students whose machine was not powerful enough, they had an AMI image in AWS with a CloudFormation template to set it up quickly.
In addition, we needed to download and set up Slack for chat support during the course and GoToTraining for the actual streaming of the course content. I found that for whatever reason the GoToTraining session was spiking my laptop’s CPU usage to a point that it was almost overheating, so I decided to use my tablet for the course streaming, which worked quite well.
Last but not least, I also downloaded the course booklets in pdf format, however they were heavily protected with watermarks and a complex password. Copy-pasting was also disabled. It would have been nice if I could open the pdfs on my tablet and use my pencil to write on it, but since I also had the printed booklets this was a minor annoyance.
Course Content
The first day started with an introduction to the principles of DevOps and how Security can be integrated into CI/CD pipelines. In between the topics, we were getting familiar with the student VM which is home to the Lab Exercises. I have to admit that at first I was quite overwhelmed by the complex setup that’s shipped in this single VM image. There were a surprising number of services running in Docker containers behind the scenes, such as Jenkins, GitLab and HashiCorp Vault.
As part of the day 1 labs we practiced the deployment of a web service using Jenkins. We also implemented improved security via pre-commit scanning and Security Analysis (SAST/DAST) as part of the CI/CD pipeline. The next day we set up the environment that paved our journey to the cloud (AWS) relying on concepts such as Infrastructure-as-Code (CloudFormation) and Configuration Management (Puppet). On day 3 we embarked on a journey to harden our cloud infrastructure with tools that can do Security Scanning and Continuous Monitoring and Alerting (Grafana & CloudWatch). We also looked into secrets management best practices on-premise and in the cloud via HashiCorp Vault. On day 4 we fixed some vulnerabilities in our web service using a blue/green deployment setup to minimize downtime. We also looked into protecting microservice APIs using serverless functions that aim to manage authorization and access control. On the final day we looked into certain concepts related to compliance in cloud environments and explored technologies such as AWS WAF, CloudMapper and Cloud Custodian.
I have to admit that the lab environment that’s set up in the Student VM was pretty impressive to me. There were so many moving parts to it, yet everything worked more or less seamlessly. The built-in Wiki always provided detailed instructions with copy-paste support to allow you to work through each lab even if you were unfamiliar with the technology. If you were stuck you could get help very quickly from the Teaching Assistant, or the Instructor as well. Overall they did an excellent job over the 5 days of the course.
NetWars
This post would not be complete without mention of the NetWars arena which I was very keen to take part in. During #SEC530 in March 2020, the NetWars arena was open only on Day 6 when we competed against each other in teams. Thanks to this course, I was invited to several free NetWars events afterwards, such as Core NetWars and the Mini NetWars Missions 1-2-3-4.
I am quite certain that these free NetWars sessions helped me immensely to hone my CTF skillz, that would come in handy during #SEC540 where I had 4 full days to compete. I jumped to the front of the leader board already after the first night, as I stayed up until 3 am working on the NetWars questions. This was a bit reckless as I was a bit tired the day after, so my focus on the course material was not the best, but a few rounds of coffee helped with that.

In the end I managed to keep my position on the top of the leaderboard which made me feel really proud as I’ve worked really long and hard during the whole week. I even managed to solve some of the more advanced 1337 challenges that had no hints, just a description of what was required and we were free to improvise the solution.
Two months later my 2nd NetWars coin has finally arrived by post 🤩

Conclusions
Initially I was quite hesitant about attending SEC540 in the LiveOnline format as I was not sure if it would work well. In the end I was left with only positive feelings about it. The course content was excellent. The delivery was smooth and help was always available through the Slack channel. If someone wants to learn about DevOps, Cloud and Security, I highly recommend this SANS course!
P.S.
On the 1st of February, 2.5 months after my class I successfully passed the GIAC exam and became GCSA certified! 🎉